The NSA is applying pressure on the TC engineers. The shutdown is a "canary."

The TC engineers shut down operations knowing they wouldn't pass a security audit.

Internal power struggle among TC engineers.

A weakness that was impossible to fix.

Someone at Gibson Research Corporation managed to get in touch with one of the TC engineers ("David") who plainly stated that TC was just calling it quits.

Over the past couple of days, a number of these theories were debunked, such as the TC site being hacked.

The team running an audit on the encryption software (Dr. Matthew Green at Johns Hopkins University and others) hasn't come out with any definite conclusions, but a preliminary report earlier this year found no major weaknesses. Dr. Green, who once felt that TrueCrypt was dangerous because of its lack of provenance, admitted that he "was starting to have warm and fuzzy feelings about the code, thinking [the TrueCrypt developers] were just nice guys who didn't want their names out there." (krebsonsecurity.com)

Could it be the NSA applying pressure? The theory goes, if the TC engineers are barred from mentioning NSA involvement, the open-source team's only move could be to shut down operations, like Lavabit did. This is known as a "canary" because it alerts people to the possibility of something noxious permeating the environment without directly saying so (the canary in the coal mine). Tinfoil hat proof: why would they suggest BitLocker in place of TrueCrypt? Obviously they were pressured.

The problem with this particular theory is that...well, that undermines the point of using a canary, no? Isn't the point of using a canary the ability to play legal jujitsu with your oppressor? How does that work if your opponent is calling the shots?

Let's Not Get Crazy

My take on all of this is: the TC guys grew tired. When TrueCrypt debuted 10 years ago, the encryption landscape sucked. TrueCrypt was a breath of fresh air. Not only was it free, it was easy to use. Backing up encryption keys was easy as well. You knew that encryption keys were being generated randomly because you fed the generator yourself, wiggling the mouse to supply entropy. TrueCrypt didn't bog down your computer to the point of not working. It gave you "plausible deniability." It wasn't perfect, but it was up there with the other stuff.

Fast forward to 2014. The encryption landscape doesn't really suck anymore. You have many different options. Most work exceedingly well. The top three operating systems come with built-in support for encryption (well, for Microsoft you have to shell out a little more moolah for the ones that do).

Plus, it's been 10 years. That's a long time for a handful of engineers to support a free project. Think about it. They probably have families, or maybe are planning to have one soon. Seeing how TrueCrypt does its thing very well, the TC engineers are a talented bunch. Chances are that they've taken on more responsibilities at work (you know, that thing that pays them money, unlike TC) or are involved in other projects. In other words, the time these guys (and gals. Who knows?) have for keeping TC up and running is probably dwindling or non-existent. Their options are to have someone else take hold of the reins or shut it down.

The former, if the articles I've read can be trusted, is not really an option because TC is so complex that its creators are loath to put someone else in charge. What if weaknesses are inadvertently introduced due to the new engineers' unfamiliarity with the code?

The logical action, then, is to kiss TrueCrypt bye-bye.

Viral Marketing Genius

But, if shutting down operations, how to do it so that everyone gets the message? Not only that TC will be no more but also that TC users should transition to some other encryption software? After all, you're a good guy, you created and released this privacy-enhancing software for free... you feel a certain responsibility that people's data should be secure... and using expired encryption software isn't really going to cut it.

Forcing people to stop using software is nearly impossible, as many companies have found out (including Microsoft. Wasn't XP supposed to be retired years ago?), so how to do it? The method for doing so is inspired: plant the seeds of uncertainty in a product people trust. After all, the one thing you won't use, if you can't trust it, is encryption software.

Plus, look at all the publicity it got. Would an announcement that lacked controversy have gotten as much attention? (More publicity = more people who hear the news about TC and the transition to other encryption software.)

Which brings up the question, why BitLocker? Here's my answer, which is obviously speculative: Microsoft's entrenched worldwide. Collaborating with the NSA or other agencies to weaken BitLocker will blow up spectacularly in Redmond's face, sooner or later. Microsoft can't afford that because close to half of their revenues come from outside the US. As the PRISM scandal last year showed, the slightest controversy becomes a reason to use an alternative.

Also, Microsoft has got deep pockets. Microsoft's cash flow and lawyers will allow them to mount an offense against any pressure, which they'll have to do if they want to protect that cash flow. Only companies the size of Microsoft can realistically counter it.

Is this the correct explanation? I don't know, but it's pretty low on the tinfoil factor. That's gotta count for something.

Let's say you are the owner of one of the i-products: iPhone, iPad, or iPod (touch). There are Apple MDM products designed to secure these devices. Likewise, Macintoshes can be secured using Apple's FileVault 2, full-disk encryption that comes free with every Mac sold since OS X Lion (2011).

You're feeling secure, right? Except that a bunch of Aussies woke up to find that this was not the case.

Ransomware Using Apple's Own Resources

The big news in the Land Down Under is that some guy going by the name of "Oleg Pliss" was asking for $100 USD/EUR to unlock i-devices that were hijacked. The very likely method was via Apple's iCloud, which allows control of the "Find My iPhone" feature for tracking, locking and wiping devices. Apple immediately responded to the news that they were not hacked, that they did not suffer a data breach.

The current consensus is that hackers managed to take information from another site's data breach and use it to their advantage with Apple's website. This is why you shouldn't be using the same passwords everywhere. It's also the reason why so many hacked websites suggest resetting passwords for any and all other websites you access.

Australia Only

Interestingly enough, the attack appears to be limited to Australia despite the ransom being for US dollars or Euros (if you're paying, pay in dollars because 100 Euro is $136. Why overpay?). What does it all mean?

It could mean that the hacker in question was unaware that his database of potential victims was limited to Australians only. Or, this could be a preliminary stage before the hijacking goes worldwide (Australia pop.: 23 million. USA pop.: 318 million. Europe pop.: 740 million).

Or, it could be the world's worst joke. Bear with me here. When you think about it, the operation was not carried out very professionally. Most people were able to regain control of their phones without paying anything. Those who did pay were promised a refund by PayPal, the payment account of choice of our anonymous hacker. As most people who've dealt in the underground economy know (as well as eBay enthusiasts), PayPal has this unacknowledged policy of reversing charges if the money sender complains about a transaction. Even if this were a dry run for bigger things to come, you'd at least make sure to use a payment account where money you received remains securely under your control. So, again, the thing wasn't executed very well if the objective was to gain some coin, either today or sometime down the road.

On the other hand, if this were done as a lark or on a dare...then, yeah, I can see how you'd just coast over the small details that make or break an online heist.

Maricopa County Community College District (MCCCD) is making the news again... for the same data breach (yet again). The site azcentral.com is reporting that MCCCD's costs related to last year's data breach have gone up once more, by another $2.3 million. The college district has spent nearly $20 million since the data breach was revealed.

This incident shows how bad things can get when one decides to just ignore the risks of a data breach (like when companies opt to face the consequences of a low-level risk event instead of using laptop encryption because, hey, not encrypting is free).

A Bad Move

One of the most damning aspects of the MCCCD data breach is that they had experienced a previous data breach in 2011. As a result of that breach, MCCCD's IT department had predicted with high precision what could happen in the future if security weaknesses were not addressed.

These were not addressed and, lo and behold, they had a massive data breach in 2013. So, is it any wonder that MCCCD is now spending $20 million (and possibly more) to clean up after this mess?

Now, MCCCD could point out that they are the victim, and they'd be right. But, they're also the perpetrator. Let me compare it to something else. Let's say we're talking about banks and money.

There is a bank. Their security personnel point out that a four-year-old could toddle in and steal the money in the bank's vaults, and recommend fixing the problem. The bank's officers decide not to solve the problem. Two years later, someone steals money from the bank's vaults, following the exact method previously described by security personnel. Is the bank a victim? Yes. Did they deserve it? No. Did you see it coming from a mile away? Yes. Does it feel like the bank's a victim? Of course not.

To MCCCD's credit, they didn't play the victim card. But plenty of other companies and organizations have under the same exact conditions (and more will most probably do so in the future).

What's Next?

Things are not over for MCCCD. While it's a long shot, the groups suing MCCCD could come out on top in the courts. For instance, what's to stop the hackers who stole MCCCD's data from suddenly hawking it in the underground black market? Then, the students who were affected by the data breach start connecting the dots, and boom! you've got a viable case on your hands.

And, even if this were to not happen, there's another aspect of MCCCD's data breach that should be worrying the college district: namely, the fact that they ignored recommendations to strengthen their data security.

The lesson is a familiar refrain: an ounce of prevention is worth a pound of cure.

eBay, the online auction powerhouse based in San Jose, California, has announced that hackers infiltrated the company's networks. The intrusion's damage was mitigated to an extent by the use of data encryption; however, the company is asking all users to change their passwords. Although the extent of the damage is not yet known, it appears that the hackers had access to databases that contained 145 million records.

That figure makes this latest hack the second largest in history, behind Adobe's 152 million user breach in October 2013.

How Many Out of 145 Million?

The breach occurred sometime between late February and early March of this year, according to reuters.com, when a number of eBay employees were successfully phished by the hackers. Although the hackers did access the records of 145 million users (more specifically, bloomberg.com notes they were "active buyers." No word on how such buyers are defined, and whether there was a separate set of records for non-active buyers), eBay spokespeople have stated that the online criminals were able to copy "a large part" of the database, which is a roundabout way of saying not all of it.

Records that were stolen include encrypted passwords, dates of birth, mailing address (so quaint!), and other personal information...but nothing that includes financial data.

Change Your Passwords

Company officials are recommending that all users change their passwords despite the use of encryption on the passwords:

EBay spokeswoman Amanda Miller told Reuters late on Wednesday that those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them. [reuters.com]

Does this mean that eBay made sure their password protection was implemented correctly? Note that what a site should store for a login is a hash, not an encrypted password: encryption implies a key that decrypts everything at once, whereas a properly hashed password can only be guessed at, one guess at a time. We've seen in the past how passwords were hashed without a salt (so that identical passwords yield identical hashes and one precomputed table cracks every user at once) or were truncated before hashing, making them less secure. Or is this just a legal / PR department jujitsu move that means they literally don't have a reason to believe that the encryption was broken?

At least one person seems to have tossed his hat in the second camp:

Michael Coates, director of product security with Shape Security, said there is a significant risk that the hackers would unscramble the passwords because typically companies only ask users to change passwords if they believe there is a reasonable chance attackers may be able to do so. [reuters.com]

Perhaps. On the other hand, if you are a responsible adult, what would you say? Don't change your password? That just seems so irresponsible.
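As an added example (mine, not code from the original post or from eBay), here is a small Python script contrasting the two storage failures named above, hashing without a salt and truncating the password before hashing, with per-user salted PBKDF2 and a work factor. The user table, the attacker's word list and the 8-character truncation length are constructed for the illustration; the attempt counters show why one leaked table is cheap to crack and a salted one is not.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data: a toy user table and an attacker's short word list.
USERS = {"alice": "password1", "bob": "password1", "carol": "correcthorsebatterystaple"}
WORDLIST = ["123456", "password", "password1", "qwerty"]

ITERATIONS = 100_000  # PBKDF2 work factor; tune upward on real hardware


# --- Weak scheme 1: unsalted SHA-256. Identical passwords -> identical hashes. ---
def hash_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# --- Weak scheme 2: truncate before hashing (8 chars assumed here, as old DES
#     crypt(3) did). Anything sharing the first 8 characters verifies. ---
def hash_truncated(password: str, keep: int = 8) -> str:
    return hashlib.sha256(password[:keep].encode()).hexdigest()


# --- Sound scheme: random per-user salt + PBKDF2-HMAC-SHA256. ---
def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def crack_unsalted(leaked: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """One precomputed table serves every user: cost is len(WORDLIST) hashes total."""
    table = {hash_unsalted(w): w for w in WORDLIST}
    found = {u: table[h] for u, h in leaked.items() if h in table}
    return found, len(WORDLIST)


def crack_salted(leaked: Dict[str, Tuple[bytes, bytes]]) -> Tuple[Dict[str, str], int]:
    """No shared table: every guess is a full PBKDF2 run, repeated per user."""
    found, attempts = {}, 0
    for user, (salt, digest) in leaked.items():
        for word in WORDLIST:
            attempts += 1
            if verify_salted(word, salt, digest):
                found[user] = word
                break
    return found, attempts


def demo() -> dict:
    """Build both kinds of leaked table and report what the attacker gets from each."""
    unsalted_dump = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted_dump = {u: hash_salted(p) for u, p in USERS.items()}
    cracked_u, cost_u = crack_unsalted(unsalted_dump)
    cracked_s, cost_s = crack_salted(salted_dump)
    return {
        "alice_bob_collide_unsalted": unsalted_dump["alice"] == unsalted_dump["bob"],
        "cracked_unsalted": cracked_u,
        "unsalted_hash_ops": cost_u,
        "truncated_prefix_matches": hash_truncated(USERS["carol"]) == hash_truncated("correcth"),
        "alice_bob_collide_salted": salted_dump["alice"][1] == salted_dump["bob"][1],
        "cracked_salted": cracked_s,
        "salted_hash_ops": cost_s,
        "carol_verifies": verify_salted(USERS["carol"], *salted_dump["carol"]),
        "carol_prefix_rejected": not verify_salted("correcth", *salted_dump["carol"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two weak schemes leak the same guesses for the price of four hash computations and accept an 8-character prefix of carol's passphrase; the salted scheme still falls to the word list for alice and bob (a salt does not rescue a bad password), but each guess now costs a full PBKDF2 run per user, which is the only lever a site has once the table is out.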

Security is About Layers, Managing Risk

The one thing that people should remember in times like these is that security is not about eliminating risk, it's about managing it. Despite the numbers involved here, it looks like eBay went about things the right way: they caught and announced the intrusion in a relatively short period, had adequate security measures, and made sure everyone heard about it.

Of course, this will probably not prevent a lawsuit from being filed, but it should be pretty easy for eBay to get them dismissed from court.

Looking over my newsfeed, I see that many healthcare-focused sites have been proclaiming that the Feds are getting serious over missing laptops and pushing the story on the importance of HIPAA laptop encryption. Earlier this month, the Health and Human Services Department's Office for Civil Rights (OCR) announced million-dollar settlements with Concentra Health Services and QCA Health Plan.

The former settled for approximately $1.7 million, while QCA agreed to a $250,000 settlement. The latter's settlement pales in comparison to Concentra's (or to the other two big HIPAA settlements this month, New York Presbyterian Hospital and Columbia University Medical Center: $3.3 million and $1.5 million, respectively).

Indeed, on the surface of it, QCA's smaller penalty is confusing because QCA appears to have been more negligent.

Fines Up to $1.5 Million

You may have noticed that Concentra's payment goes over the $1.5 million so-called "monetary penalty cap" under HIPAA. This is not the first time something like this has happened. NY Presbyterian, as I noted above, paid $3.3 million for its data breach and Cignet Health in Maryland was fined $4.3 million. The unexpectedly high dollar figures are easily explained. The cap is not per breach: it is $1.5 million per calendar year for all violations of one identical HIPAA provision. An entity that violated several provisions, or the same provision across several years, can owe a multiple of that. And the Concentra and QCA amounts are negotiated settlements rather than civil monetary penalties, so the cap does not constrain them directly in any case.

OCR deputy director of health information privacy, Susan McAndrew, had this to say regarding Concentra and QCA settlements: "Our message to [HIPAA covered entities] is simple: Encryption is your best defense against these incidents."

But there may be more that the OCR wants to tell us.

Laptop Theft in Car < Laptop Theft in Premises?

Another thing that should attract your attention is the location where the respective data breaches took place. QCA's unencrypted laptop was stolen from an employee's car, a classic no-no. Concentra's unencrypted laptop was stolen from one of its facilities.

This could be a warning to covered entities that falsely assume they can skimp on encryption if data is not expected to be taken out of their security perimeters, among other things (such as properly documenting everything).

The BBC is reporting that Minnesota has introduced a kill switch bill for smart phones (and has beaten California to the punch). A "kill switch" is a way to incapacitate a phone, usually permanently. It's a smart phone data security feature that's already found on many phones, although not turned on by default. In my opinion, it takes a backseat to smart phone encryption since a kill switch still features a time lag, between when a phone is stolen and the kill signal is sent. This could mean minutes or hours. Even days.

However, the big idea behind the kill switch legislation is not to protect people's data, but to eventually bring down the resale price of smartphones to zero – and thus make them an undesirable target for thieves.

Rising Crime Rates

One of the more fascinating stories over the past five years has been the rising rate of smartphone crime. It has been reported that the NYPD even has a team dedicated to iPhone thefts. Some have noted that crime rates would appear to be down overall...if the theft of smart phones is excluded.

With an impact like that, you can imagine why people are interested in preventing smart phone thefts. (This is not merely a matter of theft. People have been physically harmed, even killed, when they were mugged expressly because of their smart phone).

Kill Switches

There are two types of kill switches, as the BBC explains. The "hard" type incapacitates a phone permanently; that is, it becomes an expensive paperweight. A "soft" kill switch makes the "phone unusable 'to an unauthorized user,'" which I take it to mean that it messes with the OS. Just reload the operating system, and presto!, you've got yourself a working phone.

Obviously, the former type is better than the latter type if one is trying to curb smartphone-related crimes. A hard kill switch, when activated, would turn a smartphone into a brick, and make it about as profitable. But does it work?

Smart phone thefts are not as rampant in Europe, supposedly. The contrast is attributed to European laws that require kill switches, not to mention mobile carriers working together to ensure that stolen phones are rendered unusable. This is not to say that black markets for stolen smartphones do not exist, as the BBC reported last month. But, smartphone thefts are down in London.

But, as long as the phones can be activated in another region (China is a popular destination, apparently), smartphone-related crimes will never actually disappear.

Aluminum Foil Can Defeat Kill Switches

Speaking of other regions...kill switches can be easily defeated: you just have to prevent the signal from reaching the phone. And preventing it is easy and cheap. Assuming that a passcode is not in place (which you seriously should think of using), just turn on airplane mode. This prevents any communications to and from the device, and renders the kill switch useless for as long as the phone stays offline. That buys a thief time rather than a clean phone: the command is queued and lands the moment the device next connects, and a scheme that also checks at activation (Apple's Activation Lock, since iOS 7) catches a wiped device at that point too.

If access to airplane mode is impossible, just wrap it in aluminum foil. Or create what I call a poor-man's Faraday cage: an aluminum envelope three layers thick. Drop the phone in, roll over the open end so as to enclose the object within, and you've blocked the smart phone from receiving any type of data. Shoplifters use something similar to bypass the security tag-and-gate systems.

Which is why, even if all US states and the federal government were to pass a kill switch law, you still want the kill switch to be your backup, not your primary control. You want to make sure that a big part of BYOD security, mobile phone encryption, is turned on. Current phones ship with disk encryption at no extra cost (on Android it generally has to be turned on in Settings). Make use of it.